1 / 12

TERENA TF-EMC2 Workshop David Groep, 2004.11.04

http://www.eugridpma.org/. TERENA TF-EMC2 Workshop David Groep, 2004.11.04. A PKI for Grids. PKI model fits the lack of hierarchical relations between users and resources in the Grid Users can join collaborations (VOs), that are independent of both resources and home organisations

yul
Download Presentation

TERENA TF-EMC2 Workshop David Groep, 2004.11.04

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. http://www.eugridpma.org/ TERENA TF-EMC2 WorkshopDavid Groep, 2004.11.04

  2. A PKI for Grids • PKI model fits the lack of hierarchical relations between users and resources in the Grid • Users can join collaborations (VOs), that are independent of both resources and home organisations • mainly unilateral trust relations (RP/subscriber -> CA)limited mutual trust (CA->CA within PMA) • Both users and services need a credential • Revocation: • of authZ via the VOs, • of AuthN via the CAs (latter only of the identity is compromised)

  3. The EUGridPMA European Grid Authentication Policy Management Authority for e-Science • Coordinates authentication for people and services for European, national, and related Grid projectsEGEE, DEISA, SEEGRID, LCG, … • PMA manages authentication guidelines policies • Trust domain for research and academic grids

  4. Certificate Authority Coordination • Evolved from the CA Coordination Groupin DataGrid, CrossGrid, LCG, … • collection of national and regional CAs • better local identity vetting • national legislation • all meet or exceed minimum requirements • identity checking (in-person, photo-ID) • physical security (signing key protection, storage) • naming (unique certificate names) • revocation (updated lists, retrieval) • Clearly defined accreditation procedure • Basic tools and distribution mechanisms

  5. Accreditation process • Codification of procedures in a CP(S) for each CA • de facto lots of copy/paste, except for vetting sections • Peer-review process for evaluation • comments welcomed from all PMA members • two assigned referees • In-person appearance during the review meeting

  6. Accredited Authorities • Everyone (almost) in Europe has a national CA • Green: CA Accredited • Yellow: being discussed Other Accredited CAs: • DoEGrids (US) • GridCanada • ASCCG (Taiwan) • ArmeSFO (Armenia) • CERN • Russia (HEP) • FNAL Service CA (US) • Israel • Pakistan

  7. The Catch-All CAs Project-centric “catch all” Authorities • For those left out of the rain in EGEE • CNRS “catch-all” (Sophie Nicoud) • coverage for all EGEE partners • For the South-East European Region • regional catch-all CA • For LCG world-wide • DoeGrids CA (Tony Genovese & Mike Helm, ESnet) • Registration Authorities through Ian Neilson

  8. Distribution RPM distribution to facilitate deployment projects • validation must be done via TACAR (or out-of-band means) • releases contain • CA root cert • CRL URL • CA URL • namespace-policy file (used by software for enforcement) • dependency information (for hierarchical PKIs) • meta-RPMs “ca_policy_eugridpma” for triggering dependencies in install software (yum/apt) • releases every ~ 4-12 weeks

  9. EUGridPMA Americas PMAbeing formed APGridPMA Global interoperation • PMAs collaborate bilaterally in an interoperation framework: the International Grid Federationsee www.gridpma.org

  10. Commonality • Common services to all European eInfrastructure • EUGridPMA: • All EU Grid infrastructure FP6 programmes • CAs also cover inter-organisational national projects • TERENA TACAR provides the trust validation • Grid projects rely on TACAR to validate roots-of-trust • Minimum Requirements form bases of IGF • Coherency in AP modelled on EUGridPMA • Americas are planning to build an AMSGridPMA

  11. Current topics of discussion • Continuing updates to minimum requirementsas experience growsto comply better with evolving Grid middlewareto comply with evolving industry standards • User key hygiene worries aboundCan the user be trusted with key care? (hardly…) • Complexity for users, servicesthe server-certificate service! • On-line CA methodologiesGuidelines and Minimum Requirements Site-local solutions (SIPS) Active Certificate Stores (credential repositories, escrow services) CA-generated key pairs and ease-of-use

  12. http://www.eugridpma.org/

More Related